I initiated regular coverage of the biotech industry at Forbes, and wrote many of the early stories on genomics, personalized medicine, and the automation of drug making. I also launched the Arabic edition of Forbes, and oversaw what became highly influential lists in the Middle East, such as the 50 Most Powerful Arab Businesswomen. Qaddafi's daughter really wanted to be on it, and George Bush mentioned the list at the World Economic Forum. In between, I helped my father, a nephrologist, form a start-up that develops software to assist general practitioners in diagnosing patients. It is part of the exciting new field of health information technology, and it is going to shape the way we interact with our doctors.
Follow me on Twitter @ZinaMoukheiber

Is This Patient Privacy Crusader Doing More Harm Than Good?

If the electronic health records industry has a nemesis, it’s Deborah Peel, the founder of Patient Privacy Rights. At a time when doctors and hospitals are digitizing their paper medical records as mandated by the government, Peel, a psychiatrist, has been the most vocal agitator against loss of patient privacy. In Peel’s world, malefic forces in the U.S. government and corporations prey on unsuspecting patients by rummaging through their history/physical. “Once your information is released, it’s like a sex tape that lives in perpetuity in cyberspace,” she once told The Dallas Morning News. Peel hasn’t responded to emails seeking comment.*

Despite the hyperbolic statements, Peel has some valid points, namely the possibility that a patient record stripped of identifiers can be re-identified. A growing side business for EHR vendors is mining anonymous patient data that is used to track health trends or to organize clinical trials, among other applications. It is an issue that the government’s Office of the National Coordinator for Health Information Technology is looking into. ONC has also just released its Guide to Privacy and Security of Health Information for doctors, reminding them that mishandling medical information will erode their patients’ trust. Whether safeguarding privacy involves doctors, hospitals, or EHR vendors, careless handling of sensitive patient data is a sure way to destroy a reputation.

But as the health care industry moves to implement other facets of the HITECH Act, such as health information exchanges that enable different health care providers to transfer patient information across the country, there is a real chance that medical errors will not diminish with the implementation of EHRs. The reason harks back to a 1999 law that prohibits funding to promote the adoption of a unique patient identifier, despite the fact that HIPAA, which enforces privacy and security rules, is supposed to develop such an identifier. Privacy advocates, such as Peel, are blocking it because of the potential for identity theft.

Health care providers will have to resort to statistical matching to identify patients—not an easy feat. Take Harris County, Texas. There are 2,448 patients called Maria Garcia, and 231 share the same birthday. (Hospitals in Harris County had to install palm scanners to make sure they are treating the right patient.)

“Everyone is doing their own thing,” says Sharon Canner, director of advocacy for CHIME, an organization representing hospital chief information officers. “If you want to exchange information across the country, you need consistency.” CHIME is pressing the Government Accountability Office to fund a study on the costs and benefits of “implementing a consistent approach to matching patients with their data.” It would include evaluating “technologies and best practices for assuring patient data matching while enhancing patient information privacy and security.”

Update

Deborah Peel did get back to me after I published this piece, and was eager to comment. She doesn’t support CHIME’s initiative. “It [a standard for patient matching] is a bad system. Look at what social security has done for you. It’s incredibly destructive for privacy. You don’t need to have one number; it will just make people wary of seeing doctors or telling them about anything sensitive. People will actually stop seeing doctors for sensitive conditions because they know any doctor, nurse, or insurance employee with their number can get those records. These IT systems were not designed for health records, the technology was designed for ordinary business operations. Patient-centered systems would put patients in control of who can see or sell their records, not doctors, hospitals, and insurers.”

Her solution: “Patients can match themselves.” Patients should consent to who has access to their medical information, and should be able to select which parts they want to disclose.

Read this Rand Corp. study which concludes that a unique patient ID will reduce errors. It was partly funded by Cerner, an EHR vendor.


Comments

Great article, and something we, and most EHR vendors, have been dealing with of late. HealthFusion shares CHIME’s opinion on Meaningful Use Stage 2 comments, as we discussed in a recent blog post (http://ow.ly/aPT7o). HealthFusion does not sell patient data, stripped of identifiers or otherwise. EHR vendors that do sell patient data, like the “free EHR” vendors, are on an extremely slippery slope, and their users and their patients should be very concerned — not to mention the eRx advertisements on every screen. We have written extensively about the catch-22 of “free EHRs” in a past blog post: http://blog.healthfusion.com/index.php/ehr-adoption/free-ehr-software/ Health information exchange (HIE) is essential for the true meaningful use of EHRs/EMRs, so a sharing standard must be enforced eventually or risk losing the progress that’s been made and the millions that have been spent.

The fact that the US is the only country in the world without a national identity number is thanks to people like Ms. Peel who put populism anti-establishment sympathy before security common-sense to the extent of contradicting her own self-proclaimed interests of placing patients in charge of their health records.

Because the US does not have a national ID, every hospital, doctor and healthcare provider has their own keys. This requires extremely large numbers of system interfaces, many of which are maintained on poorly-maintained Windows servers in doctor practices.

Except for cases where hospital employees lose paper records on trains, all of the big patient data breaches involved vulnerabilities in system interfaces or during data transfer between systems.

In information security management, this is called a “threat surface”; and the more interfaces you have, the bigger threat surface you have.

If the United States were to institute a single national id number – 4 outstanding things would happen:

1. The threat surface for patient data breach would be drastically reduced.
2. The costs of health IT implementation and maintenance would be drastically reduced – since far fewer interfaces would be involved.
3. Security breach monitoring would be far more effective (and in line with HIPAA regulation) since systems would be monitoring for the national ID + PHI.
4. Ms. Peel’s vision of consumer-control would be realizable since every system a patient engages with would use the same national ID number, which would be well known to the patient. It would be as simple as calling up your doctor and saying “Please send me all my records (for national ID xxxxx) under the Freedom of Information Act.”

Unfortunately, the lights are on, but no one is home when it comes to privacy in the White House, as Mr. Obama, who thinks terror is for Hollywood and healthcare is for politicians, is more interested in reelection than protecting the privacy of Americans.

See http://pathcareblog.com/right-now-theres-no-one-at-home-at-the-white-house-when-it-comes-to-privacy/